Task #8712 (closed)
Bug: Member and read permissions
| Reported by: | jburel | Owned by: | jburel |
|---|---|---|---|
| Priority: | blocker | Milestone: | OMERO-4.4 |
| Component: | Services | Version: | n.a. |
| Keywords: | n.a. | Cc: | jamoore |
| Resources: | n.a. | Referenced By: | n.a. |
| References: | n.a. | Remaining Time: | n.a. |
| Sprint: | 2012-05-22 (15) |
Description
A basic user in RW, RWR, or RWRA is able to delete other members' data.
Test available in jburel/permission
Change History (10)
comment:1 Changed 7 years ago by jmoore
comment:2 Changed 7 years ago by jmoore
I'm guessing RolesTest.testInteraction?
- for rw, the report returned is "Object missing."
- for rwr, it's also not actually deleting the object.
We'll need to modify the tests to test for deletion, and perhaps open a bug to have an error raised if the top-level object is not found (this goes for chgrp, too).
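The point raised in comment:2, as an added example that is not part of the ticket or of OMERO's code: a delete call that returns a report instead of raising can only be tested by reading the object back as its owner. `ToyStore`, its `enforce` switch and the report strings other than "Object missing." are constructed for illustration; the expectation that a member must not delete another member's data in `rw----`, `rwr---` and `rwra--` is taken from the ticket description.

```python
from dataclasses import dataclass, field

# Permission levels named in the ticket description. The expectation that a
# basic member must not delete another member's data comes from the ticket;
# the store below is a constructed stand-in, not OMERO code.
LEVELS = ("rw----", "rwr---", "rwra--")


@dataclass
class ToyStore:
    perms: str
    enforce: bool = True                        # False simulates the reported bug
    owners: dict = field(default_factory=dict)  # object id -> owning user

    def visible(self, user, obj_id):
        owner = self.owners.get(obj_id)
        if owner is None:
            return False
        # Private group (rw----): members only see their own objects.
        return owner == user or self.perms != "rw----"

    def delete(self, user, obj_id):
        """Return a report string instead of raising, like a delete report."""
        if not self.visible(user, obj_id):
            return "Object missing."
        if self.enforce and self.owners[obj_id] != user:
            return "Delete not permitted."      # constructed report text
        del self.owners[obj_id]
        return "Deleted."


def member_delete_outcome(store, owner, member, obj_id):
    """Attempt the delete as `member`, then read the object back as `owner`."""
    report = store.delete(member, obj_id)
    survived = store.visible(owner, obj_id)
    return report, ("retained" if survived else "DELETED")


def audit(enforce):
    """Run the member-deletes-owner's-object check at every permission level."""
    results = {}
    for perms in LEVELS:
        store = ToyStore(perms, enforce, {"image-1": "owner"})
        results[perms] = member_delete_outcome(store, "owner", "member", "image-1")
    return results


if __name__ == "__main__":
    for enforce in (True, False):
        print("enforce =", enforce, audit(enforce))
```

A test that only checks that `delete` returned without error passes in both runs; only the read-back distinguishes the enforced store from the one that lets the member delete.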
comment:3 Changed 7 years ago by jburel
I will review the tests and check that we have something in place for the DeleteServicePermission tests
comment:4 Changed 7 years ago by wmoore
I find that a member of 'rwrw--' is NOT able to delete another user's data. See #8723.
comment:5 Changed 7 years ago by jburel
tests reviewed/modified:
- chmod/Roles:
  - Failing: testInteractionByAdminRW and testInteractionByGroupOwnerRW, both awaiting the change of canEdit discussed above.
- DeleteServicePermissionsTest
  - failing testDeleteObjectByMemberRWRW
comment:6 Changed 7 years ago by jmoore
- Cc jmoore added
- Owner changed from jmoore to jburel
```
@chmod_web_8434 /tmp/scratch $ ./build.py -Dtestng.verbose=10 -Dtestng.useDefaultListeners=true -f components/tools/OmeroJava/build.xml test -DTEST=RolesTest
...
PASSED: testInteractionByAdminRW on instance null(integration.chmod.RolesTest)
PASSED: testInteractionByAdminRWR on instance null(integration.chmod.RolesTest)
PASSED: testInteractionByAdminRWRA on instance null(integration.chmod.RolesTest)
PASSED: testInteractionByAdminRWRW on instance null(integration.chmod.RolesTest)
PASSED: testInteractionByGroupOwnerRWR on instance null(integration.chmod.RolesTest)
PASSED: testInteractionByGroupOwnerRWRA on instance null(integration.chmod.RolesTest)
PASSED: testInteractionByGroupOwnerRWRW on instance null(integration.chmod.RolesTest)
PASSED: testInteractionByMemberRW on instance null(integration.chmod.RolesTest)
PASSED: testInteractionByMemberRWR on instance null(integration.chmod.RolesTest)
PASSED: testInteractionByMemberRWRA on instance null(integration.chmod.RolesTest)
PASSED: testInteractionByMemberRWRW on instance null(integration.chmod.RolesTest)
FAILED: testInteractionByGroupOwnerRW on instance null(integration.chmod.RolesTest)
junit.framework.AssertionFailedError: Group owner should not be allowed to delete an image/dataset link.
at junit.framework.Assert.fail(Assert.java:47)
at integration.chmod.RolesTest.testInteractionByGroupOwnerRW(RolesTest.java:239)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at org.testng.internal.MethodInvocationHelper.invokeMethod(MethodInvocationHelper.java:74)
at org.testng.internal.Invoker.invokeMethod(Invoker.java:673)
at org.testng.internal.Invoker.invokeTestMethod(Invoker.java:846)
at org.testng.internal.Invoker.invokeTestMethods(Invoker.java:1170)
at org.testng.internal.TestMethodWorker.invokeTestMethods(TestMethodWorker.java:125)
at org.testng.internal.TestMethodWorker.run(TestMethodWorker.java:109)
at org.testng.TestRunner.runWorkers(TestRunner.java:1125)
at org.testng.TestRunner.privateRun(TestRunner.java:749)
at org.testng.TestRunner.run(TestRunner.java:600)
at org.testng.SuiteRunner.runTest(SuiteRunner.java:317)
at org.testng.SuiteRunner.runSequentially(SuiteRunner.java:312)
at org.testng.SuiteRunner.privateRun(SuiteRunner.java:274)
at org.testng.SuiteRunner.run(SuiteRunner.java:223)
at org.testng.SuiteRunnerWorker.runSuite(SuiteRunnerWorker.java:52)
at org.testng.SuiteRunnerWorker.run(SuiteRunnerWorker.java:86)
at org.testng.TestNG.runSuitesSequentially(TestNG.java:1007)
at org.testng.TestNG.runSuitesLocally(TestNG.java:932)
at org.testng.TestNG.run(TestNG.java:868)
at org.testng.TestNG.privateMain(TestNG.java:1150)
at org.testng.TestNG.main(TestNG.java:1114)
===============================================
Ant test
Tests run: 12, Failures: 1, Skips: 0
===============================================
...
```
Tests all seem to be passing except for the status of a group-owner, which was discussed today. Passing back to you, J-M, for handling. (We really should have a place for tests which test the difference between client and server expectations. Any ideas?)
comment:7 Changed 7 years ago by jburel
I will add more tests for the difference between the 2 following today's discussion.
comment:8 Changed 7 years ago by jburel
- Status changed from new to closed
comment:9 Changed 7 years ago by jburel <j.burel@…>
(In [68378aabf1b8004cd027573a4994afa704e37a59/ome.git] on branch develop) Review permissions test (see #8712).
comment:10 Changed 7 years ago by jburel <j.burel@…>
(In [bcbef5b9011b02828e320847f78ba1bdb8d6bfdf/ome.git] on branch develop) Review test following permission discussion. (see #8712)
Jean-Marie, specifically what test?